Dynamic policy composition #12
Signed-off-by: Anders Eknert <anders@eknert.com>
Left a couple minor comments. I think we'll need to test out this composition model with the system type framework in DAS.
import future.keywords

deny[msg] {
    input.resource.properties.SecurityGroupIngress[0].CidrIp == "0.0.0.0/0"
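Review bot: the condition indexes `SecurityGroupIngress[0]`, so only the first ingress entry is inspected and a security group whose open `0.0.0.0/0` rule sits at any later position is never denied; iterate the collection instead, as the review comment below suggests (`some ingress in input.resource.properties.SecurityGroupIngress` followed by `ingress.CidrIp == "0.0.0.0/0"`), which also keeps `deny` undefined rather than erroring when the collection is missing.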
What if there are multiple elements in the security group ingress collection? Should we use some instead?

    some ingress in input.resource.properties.SecurityGroupIngress
    ingress.CidrIp == "0.0.0.0/0"
Heh, yeah I thought of this too when I read this today, and made a note to check later (I only moved this code). Will follow up on this after the PR.
This adds dynamic routing / policy composition based on the input.resource.type, mapping something like AWS::S3::Bucket to the data.aws.s3.bucket package, where the deny rule(s) will be evaluated, and the result aggregated into the decision. Moved and remodeled the policies and tests to work with this.

Since it's been a while since I worked a full day on policy authoring, here are some random thoughts and findings from this experience:

- opa inspect -a wasn't intuitive to me for this purpose. It still seems to want a bundle file, although I'm only interested in inspecting annotations in my rego files.
- That way we could apply schemas to all subpackages with a single declaration 🤯 🚀
- opa fmt is pretty annoying, in particular for test files where we construct lots of maps manually. These don't take line length into account, and sometimes make a well structured map compressed into a single 300 chars long line 🤦
- opa fmt: also got burnt by opa fmt indentation issues with with/as statements open-policy-agent/opa#4376
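An added example of the routing described above (my own illustration, not code from this PR): a `main` package that lower-cases the `::`-separated resource type into a package path, dereferences that package through a dynamic ref into `data`, and folds its `deny` set into the decision. The package layout (`aws.s3.bucket` for `AWS::S3::Bucket`) and the per-type module shown in the comment are assumptions.

```rego
# router.rego (assumed file name)
package main

import future.keywords.contains
import future.keywords.if
import future.keywords.in

# "AWS::S3::Bucket" -> ["aws", "s3", "bucket"]. Assumed convention: the
# policy for a resource type lives in the package of the lower-cased path.
type_path := [lower(p) | some p in split(input.resource.type, "::")]

# Dynamic ref into data: the package is chosen at evaluation time. If no
# package exists for the type (or the type has fewer than three parts) the
# ref is undefined and the resource contributes nothing to the decision.
type_deny := data[type_path[0]][type_path[1]][type_path[2]].deny

# Aggregate: every message from the per-type package becomes a top-level deny.
deny contains msg if {
	some msg in type_deny
}

# The final decision is simply "no deny messages were produced".
allow if count(deny) == 0

# Example per-type module, assumed to live in a separate file aws/s3/bucket.rego:
#
#   package aws.s3.bucket
#
#   import future.keywords.contains
#   import future.keywords.if
#
#   deny contains "bucket must not grant public read" if {
#   	input.resource.properties.AccessControl == "PublicRead"
#   }
#
# Evaluate with (constructed input):
#   opa eval -d router.rego -d aws/s3/bucket.rego -i input.json 'data.main.deny'
#   where input.json is
#   {"resource": {"type": "AWS::S3::Bucket", "properties": {"AccessControl": "PublicRead"}}}
```

Because `input` is global, the per-type package sees the same document as the router, so the existing policies can be moved under their type packages unchanged.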